Using Sparkle: Security
To make sure updates are legitimate, Sparkle offers two levels of security to developers. For those who want some basic verification of what's downloaded, there are MD5 checksums. For serious security, there are key-pair signatures via DSA.
Providing MD5 sums
This is really more for error-checking: making sure the file’s not corrupt before installing it. If you're serious about security, use DSA. You can provide an MD5 sum for Sparkle to check against using the sparkle:md5Sum attribute on your <enclosure>. For example:
<enclosure sparkle:md5Sum="1fdc47479c8559a00bc58ebce4d84944"
url="http://you.org/yourapp_2.0.zip"
length="12345"
type="application/octet-stream"/>
This value was generated with the console tool md5. Just pass it your filename, and it’ll spit out a sum.
Providing DSA signatures
Sparkle supports base64-encoded DSS1 signatures of a SHA1 hash for secure verification of archives. Following is a walkthrough on how to generate keys and sign a file. If you know what you’re doing, skip this.
DSA tutorial
DSA works with two keys: a private one and a public one. You distribute the public one in your app (Info.plist) and sign things with the private one. Your app can verify signatures with just the public signature but can’t create new signatures. And so long as you use enough bits, you’re pretty much guaranteed secure. To make keys, type these commands into your terminal:
openssl dsaparam 2048 < /dev/urandom > dsaparam.pem openssl gendsa dsaparam.pem -out dsa_priv.pem openssl dsa -in dsa_priv.pem -pubout -out dsa_pub.pem
Now you’ve got two key files: dsa_priv.pem (private) and dsa_pub.pem (public). You can delete dsaparam.pem. Keep dsa_priv.pem secret and back it up—make sure you keep it safe, because if you lose it, your current userbase will have to download their next update manually.
Whenever you want to sign a file, you’ll use this lengthy command. It first takes an SHA1 hash of your file, then encrypts it with your private key, then encodes it to base64:
openssl dgst -sha1 -binary < FILENAME_HERE \
| openssl dgst -dss1 -sign dsa_priv.pem \
| openssl enc -base64
Then, for a release, set the signature with the sparkle:dsaSignature attribute on <enclosure>:
<enclosure sparkle:dsaSignature="MC0CFBfeCa1JyW30nbkBwainOzrN6EQuAh=" url="http://you.org/yourapp_2.0.zip" length="12345" type="application/octet- stream"/>
End of DSA tutorial
You’ll need to set the SUPublicDSAKey key in Info.plist to the contents of your public key (dsa_pub.pem). Make sure to use a text editor for this, as Property List Editor breaks with multi-line strings.
Once you’re ready to use DSA in your app, you need to enable it by setting the SUExpectsDSASignature key to <true/> (or Yes in PLE). Once this is on, DSA signatures will be required for all future releases, so be careful that you don't lose your private key.